If IAM comprises three simple tasks, how does it get so complex?

Role Based Functionality - Different users want (and need) different functionality from the same resource

Federation/Partnerships/Trust – Many times we are authenticating a user (or application) based on an established trust relationship

Securing communications – Keeping data and transactions secure

Encryption - Secure from being viewed

Signature – Secure from modifications

Transport Layer - At what transport layer(s) should security be imposed?

Authentication Schemes – There are many ways to authenticate, and some are more secure than others. Some authentication schemes are not available in all environments. Most authentication schemes need maintenance (password policies, replacement certs and tokens, CRLs, software vulnerabilities, etc.).

Data – There are many types of data. There are different specifications, regulations and procedures that dictate how data should/must be handled. Even when an individual is allowed access to data, they should be restricted to only the data that is needed for the given task.

Personal Data

Corporate Data

Intellectual Property Data

Public Data

Transnational Data

I find that identity and access management gets complex as a company grows and expands. You can move that complexity around, but there will be complexity.

I find the essential parts of a manageable solution are:

Planning – Here we can capture the requirements and capabilities of the components that make up a solution.

Architecting

Documenting – This step is crucial; you will keep returning to the documentation in future steps and modifications to the solution.

Implementation – Implementing the solution

Educating – The people using your infrastructure need to be a part of the security solution.

Repeat - Repeat the process as needed to improve and to deal with additional changes/needs

Each one of these is just a bullet point and could be expanded on, but I wanted to give a general outline. The main point here is that security can no longer be neglected in today’s corporate, government or educational institutions. Just by reading the news daily, you will find that security breaches, and their costs, are having a real negative impact.